<p>A policy that allows identities to access all resources in an AWS account may violate <a
href="https://en.wikipedia.org/wiki/Principle_of_least_privilege">the principle of least privilege</a>. Suppose an identity has permission to access
all resources even though it only requires access to some non-sensitive ones. In this case, unauthorized access and disclosure of sensitive
information will occur.</p>
<h2>Ask Yourself Whether</h2>
<p>The AWS account has more than one resource with different levels of sensitivity.</p>
<p>A risk exists if you answered yes to this question.</p>
<h2>Recommended Secure Coding Practices</h2>
<p>It’s recommended to apply the least privilege principle, i.e., by only granting access to necessary resources. A good practice to achieve this is
to organize or <a
href="https://aws.amazon.com/blogs/security/simplify-granting-access-to-your-aws-resources-by-using-tags-on-aws-iam-users-and-roles/">tag</a>
resources depending on the sensitivity level of data they store or process. Therefore, managing a secure access control is less prone to errors.</p>
<h2>Sensitive Code Example</h2>
<p>The wildcard <code>"*"</code> is specified as the resource for this <code>PolicyStatement</code>. This grants the update permission for all
policies of the account:</p>
<pre>
import { aws_iam as iam } from 'aws-cdk-lib'

new iam.PolicyDocument({
    statements: [
        new iam.PolicyStatement({
            effect: iam.Effect.ALLOW,
            actions: ["iam:CreatePolicyVersion"],
            resources: ["*"] // Sensitive
        })
    ]
})
</pre>
<h2>Compliant Solution</h2>
<p>Restrict the update permission to the appropriate subset of policies:</p>
<pre>
import { aws_iam as iam } from 'aws-cdk-lib'

new iam.PolicyDocument({
    statements: [
        new iam.PolicyStatement({
            effect: iam.Effect.ALLOW,
            actions: ["iam:CreatePolicyVersion"],
            resources: ["arn:aws:iam:::policy/team1/*"]
        })
    ]
})
</pre>
<h2>Exceptions</h2>
<ul>
  <li> Should not be raised on key policies (when AWS KMS actions are used.) </li>
  <li> Should not be raised on policies not using any resources (if and only if all actions in the policy never require resources.) </li>
</ul>
<h2>See</h2>
<ul>
  <li> <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege">AWS Documentation</a> - Grant least
  privilege </li>
  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/732">CWE-732 - Incorrect Permission Assignment for Critical Resource</a> </li>
  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/284">CWE-284 - Improper Access Control</a> </li>
</ul>
